GeoNode · afabiani · Nov 7, 2022 · Nov 7, 2022
diff --git a/geonode/base/api/views.py b/geonode/base/api/views.py
@@ -634,7 +634,7 @@ def resource_service_permissions(self, request, pk):
         url_name="set-thumb-from-bbox",
         methods=["post"],
         permission_classes=[
-            IsAuthenticated, UserHasPerms
+            IsAuthenticated, UserHasPerms(perms_dict={"default": {"POST": ["base.add_resourcebase"]}})
         ])
     def set_thumbnail_from_bbox(self, request, resource_id):
         import traceback
@@ -784,7 +784,7 @@ def resource_service_ingest(self, request, resource_type: str = None):
         url_name="resource-service-create",
         methods=["post"],
         permission_classes=[
-            IsAuthenticated, UserHasPerms
+            IsAuthenticated, UserHasPerms(perms_dict={"default": {"POST": ["base.add_resourcebase"]}})
         ])
     def resource_service_create(self, request, resource_type: str = None):
         """Instructs the Async dispatcher to execute a 'CREATE' operation
@@ -1185,7 +1185,7 @@ def resource_service_copy(self, request, pk):
         url_name="ratings",
         methods=['post', 'get'],
         permission_classes=[
-            IsAuthenticatedOrReadOnly, UserHasPerms
+            IsAuthenticatedOrReadOnly, UserHasPerms(perms_dict={"default": {"POST": ["base.add_resourcebase"]}})
         ])
     def ratings(self, request, pk):
         resource = get_object_or_404(ResourceBase, pk=pk)
@@ -1304,7 +1304,7 @@ def set_thumbnail(self, request, pk):
         detail=True,
         methods=["get", "put", "delete", "post"],
         permission_classes=[
-            IsOwnerOrAdmin, UserHasPerms
+            IsOwnerOrAdmin, UserHasPerms(perms_dict={"default": {"POST": ["base.add_resourcebase"]}})
         ],
         url_path=r"extra_metadata",  # noqa
         url_name="extra-metadata",

diff --git a/geonode/geoapps/api/views.py b/geonode/geoapps/api/views.py
@@ -42,7 +42,7 @@ class GeoAppViewSet(DynamicModelViewSet):
     """
     http_method_names = ['get', 'patch', 'post', 'put']
     authentication_classes = [SessionAuthentication, BasicAuthentication, OAuth2Authentication]
-    permission_classes = [IsAuthenticatedOrReadOnly, UserHasPerms]
+    permission_classes = [IsAuthenticatedOrReadOnly, UserHasPerms(perms_dict={"default": {"POST": ["base.add_resourcebase"]}})]
     filter_backends = [
         DynamicFilterBackend, DynamicSortingFilter, DynamicSearchFilter,
         ExtentFilter, GeoAppPermissionsFilter

diff --git a/geonode/layers/api/views.py b/geonode/layers/api/views.py
@@ -55,7 +55,7 @@ class DatasetViewSet(DynamicModelViewSet):
     """
     http_method_names = ['get', 'patch', 'put']
     authentication_classes = [SessionAuthentication, BasicAuthentication, OAuth2Authentication]
-    permission_classes = [IsAuthenticatedOrReadOnly, UserHasPerms]
+    permission_classes = [IsAuthenticatedOrReadOnly, UserHasPerms(perms_dict={"default": {"POST": ["base.add_resourcebase"]}})]
     filter_backends = [
         DynamicFilterBackend,
         DynamicSortingFilter,

diff --git a/geonode/maps/api/views.py b/geonode/maps/api/views.py
@@ -54,7 +54,7 @@ class MapViewSet(DynamicModelViewSet):
 
     http_method_names = ['get', 'patch', 'post', 'put']
     authentication_classes = [SessionAuthentication, BasicAuthentication, OAuth2Authentication]
-    permission_classes = [IsAuthenticatedOrReadOnly, UserHasPerms]
+    permission_classes = [IsAuthenticatedOrReadOnly, UserHasPerms(perms_dict={"default": {"POST": ["base.add_resourcebase"]}})]
     filter_backends = [
         DynamicFilterBackend,
         DynamicSortingFilter,